Outsourcing Security Analysis with Anonymized Logs
Jianqing Zhang, Nikita Borisov, William Yurcik
2nd International Workshop on the Value of Security through Collaboration
Friday, September 1, 2006
Motivation
• Managed Security Service Providers: security outsourcing is a trend
  • Security monitoring is getting more complicated and sophisticated
  • Economical: assemble skilled security professionals
  • Effective: shared security infrastructure across organizational boundaries
• Challenges
  • Sensitive data is shared
  • Data protected by privacy laws
  • Valuable information to competitors
  • Useful information to adversaries

Managed Security Service Provider

Problem Statement
• What are the criteria for log anonymization that sufficiently protect privacy and guarantee the MSSP's efficiency?

Contributions
• Case studies of common attack types based on classic logs
• Derive a common set of anonymization criteria
  • Retain time interval dependence between records
  • Pseudonymize the external IP addresses re-identifiably
  • Pseudonymize the internal IP addresses re-identifiably and preserve some network topology information
• First step for privacy-preserving MSSPs

NetFlows and Syslogs
• NetFlows: network-based log
  • Timestamps
  • IP address pairs (source/destination)
  • Port pairs (source/destination)
  • …
• Syslog: host-based log
  • Application-level critical events

Which Data is Sensitive?
• Identity information
  • External (source) IP
    • Partner, common guest and adversary
  • Internal (destination) IP
    • Internal user
• System privacy & security
  • Timestamp
    • When the transactions happen
  • Destination port number
    • Services and applications hosted on the system
  • Subnet number
    • Internal network structure
  • Number of records
    • Overall resource usage

Log Anonymization Mechanisms
• Timestamp anonymization
  • Time unit annihilation
  • Random time shifts
  • Enumeration
• IP address anonymization
  • Truncation
  • Random permutation
  • Prefix-preserving pseudonymization
• Port number anonymization
  • Bilateral classification
  • Black marker anonymization
  • Random permutation
Traffic Traces Logs: Port Scan
• Scan all ports of a single host:
  • Source: same address, different port numbers
  • Destination:
    • Same address
    • Different ports (sequentially)
  • In a short time

Traffic Traces Logs: DoS/DDoS
• SYN flood
  • Source: same addresses, same (or different) port numbers
  • Destination:
    • Same addresses
    • Same port (intended for a particular protocol or application)
  • Protocol / packets / packet size
  • In a short time

Anonymization Constraints on Traffic Traces Logs
• Timestamp (start time)
  • Event intervals and time dependence should be retained
• Anonymization
  • Time unit annihilation
  • Random time shifts
  • Enumeration

Anonymization Constraints on Traffic Traces Logs (cont.)
• Source/destination IP address
  • Anonymized and re-identifiable
  • Retain virtual network topology (destination)
• Anonymization
  • Truncation
  • Random permutation (pseudonyms)
    • Source (external) IP address
  • Prefix-preserving pseudonymization
    • Destination (internal) IP address

Anonymization Constraints on Traffic Traces Logs (cont.)
• Source/destination port number
  • Contain sensitive information
  • More efficient if retained
• Anonymization
  • Bilateral classification
  • Black marker anonymization
  • Random permutation
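Added example, not code from the slides or the authors: the constraints above (retained intervals, re-identifiable and prefix-preserving IP pseudonyms, port handling) applied to constructed NetFlow-style records, with the port scan pattern from the earlier slide run over the anonymized output. It assumes an HMAC-based prefix-preserving scheme in the style of Crypto-PAn, a bilateral port split at 1024 (well-known vs. ephemeral), and the sample flows embedded inline; all of these are assumptions for illustration. It shows that a single random time shift plus prefix-preserving pseudonyms keep the scan detectable by the MSSP and re-identifiable by the key holder, while bilateral port classification loses the scan signal.

```python
import hmac, hashlib, ipaddress, secrets

# Constructed NetFlow-style records (ms timestamp, src ip, src port, dst ip, dst port):
# one external host walking ports 20..31 of one internal host, plus one unrelated flow.
FLOWS = [(1_000_000 + i * 100, "203.0.113.7", 40000 + i, "10.1.5.20", 20 + i) for i in range(12)]
FLOWS.append((1_001_500, "203.0.113.9", 51000, "10.1.5.21", 80))

def pp_pseudonym(ip, key):
    """Prefix-preserving pseudonymization (Crypto-PAn style, assumed scheme): output bit i is
    input bit i XOR a keyed PRF of the first i input bits, so addresses sharing a k-bit prefix
    get pseudonyms sharing a k-bit prefix. Deterministic under the key: key holder can re-identify."""
    addr, out = int(ipaddress.IPv4Address(ip)), 0
    for i in range(32):
        flip = hmac.new(key, f"{i}:{addr >> (32 - i)}".encode(), hashlib.sha256).digest()[0] & 1
        out = (out << 1) | (((addr >> (31 - i)) & 1) ^ flip)
    return str(ipaddress.IPv4Address(out))

def pp_reverse(pseudo, key):
    """Invert pp_pseudonym bit by bit; each PRF call only needs the bits already recovered."""
    p, addr = int(ipaddress.IPv4Address(pseudo)), 0
    for i in range(32):
        flip = hmac.new(key, f"{i}:{addr}".encode(), hashlib.sha256).digest()[0] & 1
        addr = (addr << 1) | (((p >> (31 - i)) & 1) ^ flip)
    return str(ipaddress.IPv4Address(addr))

def anonymize(flows, key, shift, classify_ports=False):
    """One random time shift for the whole log keeps inter-record intervals; IPs get prefix-
    preserving pseudonyms; ports are kept or (lossy) reduced to well-known vs. ephemeral."""
    port = (lambda p: "wk" if p < 1024 else "eph") if classify_ports else (lambda p: p)
    return [(t + shift, pp_pseudonym(s, key), port(sp), pp_pseudonym(d, key), port(dp))
            for t, s, sp, d, dp in flows]

def detect_port_scan(flows, min_ports=10, window_ms=5000):
    """Slide pattern: same source, same destination, many distinct destination ports in a
    short time. Returns the offending (src, dst) pairs exactly as they appear in the log."""
    by_pair, hits = {}, []
    for t, s, _, d, dp in flows:
        by_pair.setdefault((s, d), []).append((t, dp))
    for pair, evs in by_pair.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            if len({dp for t, dp in evs[i:] if t - t0 <= window_ms}) >= min_ports:
                hits.append(pair)
                break
    return hits

KEY, SHIFT = secrets.token_bytes(32), secrets.randbelow(10**9)   # stay with the customer
ANON = anonymize(FLOWS, KEY, SHIFT)                               # what the MSSP receives
print(detect_port_scan(ANON), detect_port_scan(anonymize(FLOWS, KEY, SHIFT, classify_ports=True)))
```

The first list printed holds one pseudonymous (src, dst) pair that the customer can map back with `pp_reverse`; the second is empty because bilateral classification collapses ports 20..31 into one class.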
Syslog
• Syslog + Tcplog fields: Time Stamp, Host Name (IP), Source Port, Dest. Port, Message
• Sample message: Active Operating System Fingerprinting

Anonymization Constraints on Syslog

Sensitive Data After Anonymization
• Traffic volumes
  • Batched upload
  • Aggregate volumes
  • Dummy log records
    • Sacrifice the efficiency at the MSSP
    • False positives and false negatives
• Size of customer base; customer retention
  • Change the pseudonym mappings periodically
• Structure of the internal network
  • Simple pseudonyms
  • Periodic rotation of pseudonyms
  • Policy dependent

Conclusion
• Sensitive data should be anonymized for security monitoring
• Constraints on log anonymization
• Sensitive data leakage after anonymization and countermeasures
• Privacy and efficiency is a trade-off

Future Work
• Analyze other attacks
  • Anonymization strategies for a wide range of attacks
  • Patterns of attack detection and general principles
• Study other log formats and types
• Analyze correlation of different logs across different organizations

Q & A
• Jianqing Zhang jzhang24@cs.uiuc.edu
• Nikita Borisov nikita@uiuc.edu
• William Yurcik byurcik@ncsa.uiuc.edu
Port Scan (cont.)
• Portmap scan:
  • Source: same address, different port numbers
  • Destination: various addresses, same port (portmap daemon)
  • In a short time

DoS/DDoS (cont.)
• Distributed SYN flood
  • Source: different addresses, different port numbers
  • Destination:
    • Same addresses
    • Same ports (intended for a particular protocol)
  • Protocol / packets / packet size
  • In a short time